Based off of this discussion, I've written up my workflow with KeePassXC, KeePass, and KeePass2Android. I'm not totally happy with the writing, but I thought it might help some people make the jump to managing their passwords with a computer. Obviously, comments and questions are welcome!
Thanks for this, was going to ask what some other people's experiences are with them. I know I should use one, but it still feels a bit... wrong to have all my passwords in one place. Will take a read through.
If you're on the fence and unsure about using a password manager, there was a topic yesterday that is probably worth reading too:
https://tildes.net/~tech/ans/is_a_password_manager_essential
Thanks for reading!
Yeah, it feels like having them all in one place is like the State of the Union: if an attacker wanted to, they could compromise all of your passwords at once. However, that would take a concerted effort by someone who wants to attack you specifically, which I'm not too concerned with, myself.
I think the security bonuses of having truly random passwords (that even I don't know!) for all of my accounts is a value well worth the small risk of someone figuring out all my passwords. (Plus, if I do fear that my master password will be compromised, I can use a copy of my database to go through and change all my passwords as fast as I can.)
This is pretty cool. If you don't want to use something like Apple's keychain, 1Password, or roll your own, definitely give this a read at the least.
What's your opinion on Bitwarden? It's open source, can be self-hosted, and its sync works perfectly out of the box.
Bitwarden recently had a security audit that didn't find any major vulnerabilities, and from my experience it works really well.
I use Bitwarden and like it a lot.
Can't speak to it as I haven't used it. I was either using my own thing based on gpg and some shell scripts or Apple's keychain when it was released.
Ever try KeeWeb? It's compatible with KeePass databases and looks a lot prettier and retains the main features.
I haven't, no! And it looks pretty good, but is Electron. I might try it out later on if I have time.
Thanks for the appreciation and feedback! I mean that, when using a browser-based password manager like Firefox Sync, I would only need to navigate to, say, gmail.com, and the user and password field would be pre-populated with my email address and password. Using KeePass, I have to actually type Ctrl-Alt-A to do the same thing, which is slightly more hassle.
You can use a browser extension + KeePass plugin (or KeePassXC) to get KP into your browser. It'll match the URL in the entry to the current URL and allow you to either prefill the login or offer an autocomplete.
Though I would generally recommend against automatically prefilling logins; I don't feel safe knowing that the login data may be entered without my interaction.
Even with whitelisting I wouldn't feel safe (in case of vulnerabilities). Though for most people the whitelist should be sufficient in terms of security.